SSL Inspection, can you guess what is wrong?

This is the third time i have been asked if I consider it fine to copy an issuing CA:s keys and certificate to the new device the network department just installed for the simple reason that it needs to enroll certificates from a trusted CA, and be able to performe SSL Inspection on all outbound HTTPS traffic without causing certificate errors on the clients.

If you think about it for a while, and specially if your issuing CA is AD integrated, would not that mean that your network department can just impersonate any account in your AD? Sure you trust the network department but what about that device and the software used?

The main reason to do SSL Inspection is to be able to filter on the content of the "secure universal firewall bypassing protoocol", yes the bad guyes are using it to fool your IDS, IPS, Layer 7 Firewall etc. What do you think would happen if the SSL Inspection layer you are using hade som vulnerabilities, yes this kind of software does have vulnerabilities as well, that could be used by an attacker to extract your issuing CA keys and certificate and….

The best answer would be to create a new self signed CA certificate and trust that in your client computers for server authentication purposes such as to prove the identity of webservers. This CA should not be trusted by any of your servers and none of your DCs for som very clear reasons.

My advice to you is to be very carefull where you put your CA keys and how far you can trust the place!